What is WordPress XML-RPC and How To Stop an Attack

Let me start by introducing XML-RPC. It is a specification that offers a portable way to make remote procedure calls over HTTP, with both the call and its result encoded as XML.

Here, RPC stands for Remote Procedure Call, a mechanism that lets developers define interfaces that can be called over a network. The client names a procedure and its parameters in an XML request, and the server answers with an XML response carrying either the result or a fault.

Through XML-RPC, you can integrate multiple computing environments and establish communications quickly and easily.

WordPress exposes such an XML-RPC interface.

XML-RPC has been part of WordPress for a long time, served from the xmlrpc.php file in the site root. Before WordPress 3.5 it was switched off by default and had to be enabled manually in the admin settings; since 3.5 it has been enabled by default and the setting for turning it off was removed.

Today xmlrpc.php is only a thin entry point; the functionality lives in a neat little class, wp_xmlrpc_server, which you can find in wp-includes/class-wp-xmlrpc-server.php. It exposes 48 WordPress functions, 7 Blogger functions, 6 MetaWeblog functions, 8 MovableType functions and 4 functions for pingbacks.

Problems with WordPress XML-RPC:

Through XML-RPC, WordPress gives developers a way to write applications that can do many of the things the admin interface does. But it brings two problems with it: its extensibility and its security.

Many attacks on WordPress sites abuse the XML-RPC endpoint to gain access or to knock the site over. The two most common are brute force login attacks and DDoS (Distributed Denial of Service) through pingbacks.

Brute force attacks:

Brute force attacks are the most common attack on WordPress sites: the attacker tries to get into your dashboard by submitting a large number of login attempts.

Every WordPress site has the same admin URL, wp-admin, so attackers know exactly where to aim, and most login limiters watch only wp-login.php. XML-RPC gives attackers a quieter route. Any method that requires authentication, wp.getUsersBlogs being the usual choice, accepts a username and password and tells the caller whether they were valid, and the system.multicall method lets a single HTTP POST to xmlrpc.php bundle hundreds of such calls. The access log then shows one request where hundreds of password guesses were made, which is why these attacks are very hard to detect. The attacker simply cycles through username/password combinations until one is accepted. (Since WordPress 4.4, once one call in a multicall fails to authenticate the remaining calls in that request are refused, which blunts the amplification on up-to-date sites but does not stop the guessing.)
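The check a practitioner wants at this point is a way to see how many credential guesses one xmlrpc.php request really carries, since the web server log will only ever count it as a single POST. The following is an added example written for this article, not code from the article or from WordPress: it parses an XML-RPC request body, expands system.multicall, and counts the calls that carry a username and password. The method names (system.multicall, wp.getUsersBlogs, wp.getProfile) are real XML-RPC methods; the two request bodies at the bottom are constructed samples, and the `max_calls` threshold is an assumed policy value.

```python
"""Count the credential guesses hidden inside one WordPress XML-RPC request.

Added example for this article; it is not code from the article or from
WordPress. The method names (system.multicall, wp.getUsersBlogs, wp.getProfile)
are real XML-RPC methods; the request bodies below are constructed samples.
"""
import xml.etree.ElementTree as ET  # for untrusted input in production, prefer defusedxml

# Methods that take a WordPress username and password, mapped to the position of
# the username parameter (wp.getUsersBlogs has no blog_id, the others do).
AUTH_METHODS = {"wp.getUsersBlogs": 0, "wp.getProfile": 1, "wp.getPosts": 1}


def _decode(value_el):
    """Decode an XML-RPC <value> element into a Python object."""
    if len(value_el) == 0:               # untyped <value>text</value> is a string
        return value_el.text or ""
    typed = value_el[0]
    if typed.tag in ("string", "base64"):
        return typed.text or ""
    if typed.tag in ("int", "i4"):
        return int(typed.text)
    if typed.tag == "boolean":
        return typed.text.strip() == "1"
    if typed.tag == "array":
        return [_decode(v) for v in typed.findall("./data/value")]
    if typed.tag == "struct":
        return {m.findtext("name"): _decode(m.find("value"))
                for m in typed.findall("member")}
    return typed.text                    # double, dateTime.iso8601: keep raw text


def flatten_calls(body):
    """Return (top_level_method, [(method, params), ...]) for a request body,
    expanding system.multicall so each bundled call appears on its own."""
    root = ET.fromstring(body)
    method = (root.findtext("methodName") or "").strip()
    params = [_decode(v) for v in root.findall("./params/param/value")]
    if method != "system.multicall":
        return method, [(method, params)]
    bundled = params[0] if params and isinstance(params[0], list) else []
    return method, [(c.get("methodName", ""), c.get("params", []))
                    for c in bundled if isinstance(c, dict)]


def inspect_request(body, max_calls=10):
    """Summarise a request and decide whether a front-end filter should block it."""
    top_level, calls = flatten_calls(body)
    attempts = []
    for method, params in calls:
        idx = AUTH_METHODS.get(method)
        if idx is not None and len(params) > idx + 1:
            attempts.append((method, str(params[idx])))
    return {
        "top_level": top_level,
        "calls": len(calls),
        "login_attempts": len(attempts),
        "usernames": sorted({user for _, user in attempts}),
        # A real client authenticates once per request; a multicall stuffed
        # with credential-bearing calls is a password-guessing batch.
        "block": len(calls) > max_calls or len(attempts) > 1,
    }


def _call(method, *args):
    """Build one struct entry for a system.multicall array (constructed sample)."""
    values = "".join(f"<value><string>{a}</string></value>" for a in args)
    return ("<value><struct>"
            f"<member><name>methodName</name><value><string>{method}</string></value></member>"
            f"<member><name>params</name><value><array><data>{values}</data></array></value></member>"
            "</struct></value>")


# Constructed sample: three password guesses for two accounts in ONE HTTP POST.
SAMPLE_MULTICALL = (
    "<?xml version='1.0'?><methodCall><methodName>system.multicall</methodName>"
    "<params><param><value><array><data>"
    + _call("wp.getUsersBlogs", "admin", "password1")
    + _call("wp.getUsersBlogs", "admin", "letmein")
    + _call("wp.getProfile", "1", "editor", "password1")
    + "</data></array></value></param></params></methodCall>"
)

# Constructed sample: an ordinary single login, as a mobile app would send it.
SAMPLE_SINGLE = (
    "<?xml version='1.0'?><methodCall><methodName>wp.getUsersBlogs</methodName>"
    "<params><param><value><string>admin</string></value></param>"
    "<param><value><string>correct horse</string></value></param></params></methodCall>"
)

if __name__ == "__main__":
    for name, body in (("multicall", SAMPLE_MULTICALL), ("single", SAMPLE_SINGLE)):
        print(name, inspect_request(body))
```

Run against the multicall sample, `inspect_request` reports three login attempts for two usernames inside what the access log records as one POST, and flags it; the single login passes. The decision rule is deliberately simple: a legitimate client authenticates once per request, so more than one credential-bearing call in a body is a guessing batch regardless of how many requests per minute the source sends.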

DDoS (Distributed Denial of Service) attacks:

Another common attack is DDoS (Distributed Denial of Service) through pingbacks. The pingback.ping method takes a source URL and a target URL, and the site receiving the call fetches the source page to verify that it really links to the target. An attacker sends pingback.ping requests to a large number of WordPress sites, naming the victim as the source every time, and all of those sites then fetch pages from the victim at once. The flood of requests hogs the victim's server and slows the site down or takes it offline, and every site that was used as a reflector pays for an outbound fetch per request as well.
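On the victim's side this attack has a recognisable signature, because WordPress identifies itself while verifying a pingback: it fetches the source page with a User-Agent of the form "WordPress/<version>; <site url>; verifying pingback from <ip of the caller>", where the last field is the address that sent the pingback.ping call to that reflector. The script below is an added example written for this article, not code from the article or from WordPress; it parses access log lines in Apache combined format, picks out the verifier requests, and flags any origin IP that appears behind many distinct reflecting sites. The log lines and the `min_reflectors` threshold are constructed for the demo.

```python
"""Spot a reflected pingback flood in the victim's web-server access log.

Added example for this article; not code from the article or from WordPress.
It relies on one real detail of WordPress: when a site verifies a pingback it
fetches the claimed source page with a User-Agent of the form
"WordPress/<version>; <site url>; verifying pingback from <ip of the caller>".
The log lines below are constructed samples in Apache combined format.
"""
import re
from collections import defaultdict

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# User-Agent WordPress sends while verifying a pingback (see docstring).
PINGBACK_UA = re.compile(
    r'^WordPress/[^;]+; (?P<site>\S+); verifying pingback from (?P<origin>\S+)$'
)


def parse_pingback_hits(lines):
    """Return one record per request that came from a WordPress pingback verifier."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.rstrip("\n"))
        if not m:
            continue
        ua = PINGBACK_UA.match(m["ua"])
        if not ua:
            continue
        hits.append({
            "reflector_ip": m["ip"],        # the WordPress site doing the fetch
            "reflector_site": ua["site"],   # its URL, as it reports itself
            "origin": ua["origin"],         # who sent it the pingback.ping call
            "request": m["req"],
        })
    return hits


def detect_reflected_pingback_flood(lines, min_reflectors=3):
    """Group verifier hits by the IP that triggered them. Many distinct WordPress
    sites all verifying pingbacks from the same origin is the signature of a
    reflection attack; one or two is normal blog-to-blog traffic."""
    reflectors_by_origin = defaultdict(set)
    for hit in parse_pingback_hits(lines):
        reflectors_by_origin[hit["origin"]].add(hit["reflector_site"])
    return {origin: len(sites)
            for origin, sites in reflectors_by_origin.items()
            if len(sites) >= min_reflectors}


def _line(ip, req, ua):
    """One constructed combined-format log line."""
    return f'{ip} - - [10/Oct/2023:13:55:36 +0000] "{req}" 200 51234 "-" "{ua}"'


# Constructed sample log: four reflectors driven by 198.51.100.7, one legitimate
# pingback verification from another origin, and a normal browser request.
SAMPLE_LOG = [
    _line("203.0.113.10", "GET /?p=1 HTTP/1.1",
          "WordPress/6.3; https://blog-a.example; verifying pingback from 198.51.100.7"),
    _line("203.0.113.11", "GET /?p=1 HTTP/1.1",
          "WordPress/5.9.3; https://blog-b.example; verifying pingback from 198.51.100.7"),
    _line("203.0.113.12", "GET /?p=1 HTTP/1.1",
          "WordPress/6.1; https://blog-c.example; verifying pingback from 198.51.100.7"),
    _line("203.0.113.13", "GET /?p=1 HTTP/1.1",
          "WordPress/4.9; http://blog-d.example; verifying pingback from 198.51.100.7"),
    _line("203.0.113.20", "GET /2023/10/new-post/ HTTP/1.1",
          "WordPress/6.3; https://friend.example; verifying pingback from 192.0.2.44"),
    _line("198.51.100.99", "GET /2023/10/new-post/ HTTP/1.1",
          "Mozilla/5.0 (X11; Linux x86_64) Firefox/118.0"),
]

if __name__ == "__main__":
    print(detect_reflected_pingback_flood(SAMPLE_LOG))
```

The grouping key matters: the reflecting sites' own IPs are spread across the internet and are useless for blocking, but the "verifying pingback from" field is the same attacker address on every line, which is the one fact the victim can act on (it is the address the reflectors saw, so it may be a proxy, but it is still the sender of the pingback.ping calls). Keying on it also keeps a single friendly blog that legitimately pinged you out of the alert.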

Note: Keep in mind that disabling XML-RPC, whether by blocking requests to xmlrpc.php at the web server or by returning false from WordPress's xmlrpc_enabled filter, switches off a major WordPress API. If you are using Jetpack, let me remind you that Jetpack relies heavily on XML-RPC to provide its features, so disabling it may break some of them. Two caveats: the xmlrpc_enabled filter only disables the methods that require authentication, so it stops the brute force route but leaves pingback.ping working; and if you need to keep the endpoint, the narrower option is to remove just the abused methods (pingback.ping and system.multicall) through the xmlrpc_methods filter.

Conclusion:

I hope this article has cleared up some of your confusion about XML-RPC. If you still have doubts, let me clear them up in the comment section below.

Amit Malewar has been a tutorial writer since 2013. His passion for helping people in all aspects of technology flows through in the expert coverage he provides. In addition to writing for InfoPhilic, Amit loves to read and try new things.